What is claimed is: 

1 1 . A security container that secures a document component by encapsulating, within the 

2 security container, the document component, conditional logic for controlling operations on the 

3 document component, and key distribution information xisable for controlling access to the 

4 document component. 

1 2. The security container according to Claim 1 , wherein the security container secures a 

2 portion of a higher-level document. 

1 3. The seciirity container according to Claim 2, wherein the higher-level document has more 

. 2 than one portion secured by security containers. 

1 4. A method of securing document content using security containers, comprising the step of 

2 encapsulating, within a security container, a document component, conditional logic for 

3 controlling operations on the document component, and key distribution information usable for 

4 controlling access to the document component. 

1 5, The method according to Claim 4, wherein the key distribution information fiuther 

2 comprises an identification of one or more users and/or processes that are authorized to access 

3 the document component. 



1 



6. The method according to Claim 5, wherein the key distribution information further 
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2 comprises a symmetric key that encrypted both the document component and the conditional 

3 logic that are encapsulated within the security container, wherein the symmetric key is stored in an 

4 encrypted form for decryption by the authorized users and/or processes. 

1 7. The method according to Claim 6, wherein the encrypted form of the synmietric key 

2 comprises a separate version of the key for each distinct user, process, group of users, or group of 

3 processes, wherein the separate version has been encrypted with a public key associated with the 

4 corresponding distinct user, process, group of users, or group of processes, 

1 8. The method according to Claim 5, wherein the authorized users and/or the authorized 

2 processes are specified individually or as groups. 

1 9. The method according to Claim 4, wherein the conditional logic fiirther controls access to 

2 the document component. 

1 10. The method according to Claim 9, A^erein the key distribution information further 

2 controls access to the conditional logic. 

1 11. The method according to Claim 4, wherein the document component and the conditional 

2 logic are encrypted before encq)sulation within the security container. 



1 



12. The method according to Claim 4, wherein the secxirity container is encoded in structured 
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2 



document format. 



1 13. The method according to Claim 12, wherein the structured docimient format is Extensible 

2 Markup Language ("XML") format. 

1 14. The method according to Claim 5, wherein the identification of the one or more users 

2 and/or processes comprises an identification of at least one group, the group having as members 

3 one or more of the users and/or processes. 

1 15. The method according to Claim 14, wherein the members are determined dynamically, 

2 upon receiving a request to access to the document component. 

1 16. The method according to Claim 15, wherein the dynamic determination further comprises 

2 accessing a repository where the members of the group are identified. 

1 17. The method according to Claim 4, further comprising the steps of: 

2 receiving, from a requester, a request to access the document component; 

3 programmatically determining, using the key distribution information, whether the 

4 requester is authorized to access the document component; and 

5 programmatically evalxiating, using the conditional logic, whether the request can be 

6 granted, when the programmatically determining step has a positive result, and rejecting the 

7 request when the programmatically determining step has a negative result. 
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1 18. The method according to Claim 1 7, wherein the conditional logic evaluates at least one of: 

2 an identity of the requester; a device used by the requester; a context of the requester; a zone of 

3 an application used by the requester; a user profile of the requester; and a target destination of the 

4 request. 

1 1 9. A computer program product for securing document content using security containers, the 

2 computer program product embodied on one or more computer-readable media and comprising: 

3 computer-readable program code means for receiving, fi-om a requester, a request to 

4 access document content, wherein the document content is encapsulated as a document 

5 component within a security container along with conditional logic for controlling operations on 

6 the document component and key distribution information usable for controlling access to the 

7 document component; 

8 computer-readable program code means for programmatically determining, using the key 

9 distribution information, whether the requester is authorized to access the document component; 

10 and 

1 1 computer-readable program code means for programmatically evaluating, using the 

12 conditional logic, whether the request can be granted, when operation of the computer-readable 

1 3 program code means for programmatically determining yields a positive result, and for rejecting 

14 the request when operation of the computer-readable program code means for programmatically 

1 5 determining yields a negative result. 
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1 20. A system for seciiring document content using security containers, comprising: 

2 a security container that encapsulates a docxmient component, conditional logic for 

3 controlling operations on the document component, and key distribution information usable for 

4 controlling access to the document component; 

5 means for receiving, from a requester, a request to access the document component; 

6 means for programmatically determining, using the key distribution information, whether 

7 the requester is authorized to access the document component; and 

8 means for programmatically evaluating, using the conditional logic, whether the request 

9 can be granted, when operation of the means for programmatically determining yields a positive 

10 result, and for rejecting the request when operation of the means for programmatically 

1 1 determining yields a negative result. 

1 21 . The system according to Claim 20, wherein the security container is embedded within a 

2 document. 

1 22. The system according to Claim 20, wherein the security container encapsulates the 

2 document component on a system clipboard. 

1 23. The system according to Claim 20, wherein the security container is placed on a user 

2 interface. 
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24. The system according to Claim 20, wherein the security container encapsulates the 
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2 document component for exchange using interprocess communications. 

1 25. The system according to Claim 20, wherein the secxirity container encapsulates the 

2 document component for exchange using a messaging system. 

1 26. The system according to Claim 20, further comprising means for copying the document 

2 component to a target destination, wherein the means for copying copies the entire security 

3 container in order to copy the document component 

1 27. A method of securing document content using security containers, comprising steps of: 

2 receiving, from a requester, a request to access document content, v^erein the document 

3 content is encapsulated as a document component within a security container along with 

4 conditional logic for controlling operations on the document component and key distribution 

5 information usable for controlling access to the document component; 

6 programmatically determining, using the key distribution information, whether the 

7 requester is authorized to access the document component; 

8 programmatically evaluating, using the conditional logic, whether the request can be 

9 granted, when the programmatically determining step has a positive result, and for rejecting the 

1 0 request when the programmatically determining step has a negative result; and 

1 1 charging a fee for carrying out one of more of the receiving, programmatically 

12 determining, and programmatically evaluating steps. 
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1 28. A method of securing dociiment content xising security containers, comprising steps of: 

2 receiving, fix)m a requester, a request to access document content, wherein the docimient 

3 content is encapsulated as a document component within a security container along with 

4 conditional logic for controlling operations on the document component and key distribution 

5 information usable for controUmg access to the document component; 

6 programmatically determining, using the key distribution information, whether the 

7 requester is authorized to access the document component; 

8 programmatically evaluating, using the conditional logic, whether the request can be 

9 granted, when the programmatically determining step has a positive result, and for rejecting the 

1 0 request when the programmatically determining step has a negative result; and 

1 1 charging a fee to the requester when the programmatically evaluating step determines that 

12 the request can be granted. 
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